Meta Data Is Not Stripped From images in polonel/trudesk

Valid

Reported on

May 23rd 2022


  1. Hey team, while uploading the site/page logo as an administrator, the metadata of the image, like geolocation, device information, version, name etc., is not getting stripped. As a result, the attacker can collect all the metadata information of the image by using tools like exif tool, metadata checker etc., which are publicly available.

Steps to reproduce:

  1. Upload the site/page logo
  2. Copy the image location and save it, or check the metadata directly with this site: http://exif-viewer.com
  3. All the information in the image (metadata) will be publicly disclosed

Patch recommendation:

  1. Remove the metadata from uploaded images

Impact

  1. This vulnerability impacts and violates the privacy of the one who uploads the image, because the metadata will be publicly accessible by third-party attackers via the common predictable endpoint http://127.0.0.1:8118/assets/topLogo.jpg
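
The patch recommendation above, sketched as an added example (not part of the report and not the trudesk fix): a Node.js function that rebuilds a JPEG from an allow-list of segments, so Exif, XMP, IPTC and comment data are gone before the file is stored. The function names and the sample bytes are constructed for illustration; other image formats need their own handling.

```javascript
// Added example, not trudesk code: allow-list filter over JPEG segments.
// Keeps image data plus JFIF/ICC/Adobe colour segments, drops everything else.
function isMetadata(marker, payload) {
  const startsWith = (s) => payload.subarray(0, s.length).toString('latin1') === s;
  if (marker === 0xfe) return true;                    // COM: free-text comment
  if (marker < 0xe0 || marker > 0xef) return false;    // not APPn (DQT, SOF, DHT, ...)
  if (marker === 0xe0) return false;                   // APP0: JFIF header
  if (marker === 0xe2 && startsWith('ICC_PROFILE\0')) return false; // colour profile
  if (marker === 0xee && startsWith('Adobe')) return false;         // colour transform
  return true;                                         // APP1 Exif/XMP, APP13 IPTC, rest
}

function stripJpegMetadata(input) {
  if (input.length < 4 || input[0] !== 0xff || input[1] !== 0xd8) throw new Error('not a JPEG');
  const kept = [input.subarray(0, 2)];                 // SOI marker
  let pos = 2;
  while (pos + 4 <= input.length) {
    if (input[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = input[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }       // fill byte before a marker
    if (marker === 0xda) {
      // Start of scan: copy the rest unchanged (assumes no metadata between scans).
      kept.push(input.subarray(pos));
      return Buffer.concat(kept);
    }
    const len = input.readUInt16BE(pos + 2);           // length counts its own two bytes
    const end = pos + 2 + len;
    if (len < 2 || end > input.length) throw new Error('bad segment length');
    if (!isMetadata(marker, input.subarray(pos + 4, end))) kept.push(input.subarray(pos, end));
    pos = end;
  }
  throw new Error('no image data: SOS marker not found');
}

// Constructed sample: a skeletal JPEG carrying an Exif segment and a comment.
const seg = (marker, payload) => {
  const head = Buffer.from([0xff, marker, 0, 0]);
  head.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([head, Buffer.from(payload, 'latin1')]);
};
const sample = Buffer.concat([
  Buffer.from([0xff, 0xd8]),
  seg(0xe0, 'JFIF\0\x01\x01\0\0\x01\0\x01\0\0'),
  seg(0xe1, 'Exif\0\0GPSLatitude=CONSTRUCTED'),
  seg(0xfe, 'Make=ExamplePhone'),
  seg(0xdb, '\0'.repeat(65)),
  Buffer.from([0xff, 0xda, 0x00, 0x02, 0x12, 0x34, 0xff, 0xd9]),
]);
console.log(sample.length, '->', stripJpegMetadata(sample).length, 'bytes');
```

Applying the filter server-side before the upload is written to disk means the file served from the public assets path never contains the uploader's metadata. Malformed input is rejected rather than passed through.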
We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
Akshay Ravi
a year ago

Researcher


#Note:

Hey @maintainer, a normal user can also access the image with no privileges, because the site logo is common for all. Here is the POC👇:

I have added the CVSS score as low (3.3), feel free to change it to medium or higher than (3.3) if you wish as per these impacts, thanks

We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
Chris modified the Severity from Low (3.3) to Medium (4.6) a year ago
Chris assigned a CVE to this report a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Chris validated this vulnerability a year ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris
a year ago

Maintainer


This has been fixed and will release with version 1.2.3. I will update this report once released.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
Chris marked this as fixed in 1.2.3 with commit ae904d a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE